Since I noticed my Ethernet connection performance as being saturated on my Windows 2012 R2 server, I ran the netstat command & noticed a lot of IP addresses having established connections to 3389. When looking further, I see that these IP addresses are from many different countries like Korea, China, Russia, Turkey... What can I do to prevent these rogue connections? Are they authenticating to my server? Could there be an app on the server that's allowing this?
See only one example below:
C:\Windows\system32>netstat -na | find "3389"
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 192.168.220.20:3389 220.127.116.11:57070 ESTABLISHED
TCP 192.168.220.20:3389 18.104.22.168:57184 ESTABLISHED
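
One way to check whether the peers shown by netstat are actually authenticating, as an added example that is not part of the original post: it lists the remote addresses with established connections to 3389 and matches them against logon events in the Security log. It assumes an elevated PowerShell session, that logon auditing is enabled, and a 24-hour look-back window chosen for illustration.

```powershell
# Added example: correlate live RDP peers with Security-log logon events.
$since = (Get-Date).AddHours(-24)   # assumed look-back window

# Remote peers currently holding an established connection to TCP 3389
$peers = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
    Group-Object RemoteAddress |
    Select-Object @{n='RemoteAddress';e={$_.Name}}, @{n='Connections';e={$_.Count}}

# Event 4624 = successful logon, 4625 = failed logon
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields from the event XML
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            LogonType = $data['LogonType']
            User      = $data['TargetUserName']
            IpAddress = $data['IpAddress']
        }
    } |
    # LogonType 10 = RemoteInteractive (RDP); RDP attempts are often
    # recorded as type 3 (Network) when Network Level Authentication is on
    Where-Object { $_.LogonType -in '3', '10' }

# Per connected peer: how many logons failed, how many succeeded, as whom
$report = foreach ($p in $peers) {
    $hits = @($events | Where-Object { $_.IpAddress -eq $p.RemoteAddress })
    [pscustomobject]@{
        RemoteAddress = $p.RemoteAddress
        Connections   = $p.Connections
        FailedLogons  = @($hits | Where-Object { $_.Id -eq 4625 }).Count
        SuccessLogons = @($hits | Where-Object { $_.Id -eq 4624 }).Count
        Users         = (($hits.User | Sort-Object -Unique) -join ', ')
    }
}

$report | Sort-Object FailedLogons -Descending | Format-Table -AutoSize
```

A peer with many failed logons and no successes is guessing credentials; any non-zero SuccessLogons value for an address you do not recognise is the row to investigate first.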